MS-500 Microsoft 365 Security Administration-Securing Microsoft 365 Hybrid Environments Part 1

  1. Foundation of Active Directory Domains

So I want to start out by doing a drawing to help everybody understand some of the fundamentals of where the industry was, where it is, and kind of where things are flowing right now, especially from the standpoint of Microsoft. So I want to kind of take you back in time a little bit and help you understand. It will really help you understand where things are moving right now if you can also sort of look at where things were at one time. So if you went back far enough, of course, I’m not going to go back too far. You had the 1960s, you had mainframes. And as we moved into the 1970s, you also had mainframes, these massive computers that were like room size or at least refrigerator size in most cases. And then as we moved into the 1980s and standardization occurred, the pricing of computers went down and companies could actually afford to get what is called a personal computer.

And of course, with the invention of that concept, you had what was called peer to peer networking. So this little thing that I’m drawing is going to represent a few personal computers. Let’s say that in your organization your company has 1000 computers. And again, I’m drawing this out. A lot of times people will ask me, they’ll say, why don’t you just have it all pre-drawn out? Because I’m going to draw a bunch of things. And it kind of gets overwhelming when there’s a bunch of things on the screen. So I like to kind of draw it out as I talk. Okay, so we start out with a bunch of computers. Let’s say we have 1000 computers now, from an IT person’s standpoint. As we moved into the 1980s and companies wanted to share resources with each other, there were different companies that played a role in this.

Microsoft played a role in it with DOS and then LAN Manager, and then a company called Novell played a huge role in it. Of course there was also Unix. And then we moved into the 1990s and this became more and more popular as time went on. And as companies grew and started needing to be able to manage more and more computers, they needed a system for doing that. And at the time, all we had was what was known as a peer to peer network, which meant every computer is sort of on its own, every computer is its own boss. And that meant that you had to sit down and configure each computer individually. Imagine doing that with 1000 computers. One solution to that was to create scripts, logon scripts that would automate the process of setting these computers up. But it was still a lot of work.

And if you had to change one thing on one machine, you had to change it on the others. And every computer had to have usernames and passwords that were separate from the others. And it just got crazy. So what Microsoft did, and again we’re kind of focused on Microsoft here, is they created the concept of what is called a domain. Their concept was based on some concepts that Novell had implemented and Unix had implemented. And by the time we reached the late 1990s, Microsoft had released NT 4 and had domains. And the goal of a domain was centralization. Microsoft created a new directory service and a new concept for domains. In fact, the symbol of what is called a Microsoft domain is the symbol of a triangle. Okay? So they created this triangle, this domain.

And the domain would act sort of as the security boundary for your company, all right? For your computers. So your computers would go inside the security boundary. You had 1000 computers here, part of the security boundary. Of course, something that you did need to deal with all this is you needed servers that could help you manage these computers. So with that, Microsoft had what was called a domain controller. A domain controller is a server that has a special database. All right? This little cylinder looking thing that I’m drawing is going to be the symbol of a database right here. And that database is called Active Directory.

Okay? AD, Active Directory, is the directory services structure that manages our Microsoft domains. Now that directory service is where your user accounts, passwords, groups, all of that stuff is going to live. And with the creation of domain controllers also came these things called Group Policy Objects, GPOs. GPOs allow us to deploy restrictions and settings out to all these machines. So I have the ability to implement this thing called the GPO. And the GPOs can apply to all of these computers and they get configured based on the GPO. And of course, generally speaking, when it comes to a domain controller, a DC, you want to have more than one of those.

And why do you want to have more than one domain controller to manage everything? Well, it’s kind of the same reason as this: if you go to a grocery store and you get a cart load of groceries and you’re checking out and you’re taking your cart load of groceries to the front of the store to check out, the last thing you want to see is for there to be one cashier open, one cash register open to check you out. What do you want to see when you get up there? You want to see a lot of open aisles of cash registers with people working those cash registers where I can check out and buy my stuff and leave. What I don’t want to do is get to the front and there only to be one cash register open and there’s a line of people waiting to get out. Well, here’s the thing.

All of these computers right here, these 1000 computers that I have, need to talk to these domain controllers. If I’ve only got one, then you’ve got one machine that’s basically having to manage everybody. So you want more than one. There are basically two main reasons why we have more than one of anything, right? Redundancy, also known as fault tolerance, and load balancing. So if one domain controller fails, we’ve got another one running. The other reason is for performance. We don’t want all of these clients, all of these machines, having to just go to one domain controller. We prefer them to go to multiple. Now, the other great thing about domain controllers, when you think about domain controllers, is domain controllers replicate.

So anything I do to one domain controller, like, let’s say that this little smiley face guy here that I’m going to create, okay, kind of a jacked up smile, this little smiley face guy that I’m going to create here, this guy is a user account, all right? So what’s going to end up happening is your user account. You create this user account on this domain controller. Guess what? It’s going to replicate to this other domain controller over here, and it synchronizes that way through what is known as Active Directory replication. So this little arrow that I’m drawing is just kind of indicating to you that they’re replicating together and all that stuff. So if you were to come to me and you were to say, why am I needing to have a domain? Why not just stick with the old style, which was peer to peer networking? This is what I would tell you.

I would say centralization. That’s why I can tell you why Active Directory is so important in one word: centralization. A lot of people would say security. Security is important, but centralization is why this is such a key thing we use in our environments. I can manage everything using these domain controllers. My company can actually have multiple domains. There are these things called trees and forests, and I’m not going to get into that right now, but I can manage my infrastructure using Active Directory. Now, there are some other key fundamentals to understand about Active Directory. First off, the naming system that Active Directory uses, that domains use for managing everything, is based upon DNS, the Domain Name System, okay? Your domain’s name will have to be named based upon a DNS style name.

So, for example, if I work for a company called Exam Lab Practice and my web presence is examlabpractice.com, then my domain name may also be called examlabpractice.com. That might be the name of my DNS name, okay? And all my computers will be based on that DNS name. So if I had a computer called Client One, his DNS name, his fully qualified domain name, as it’s called, might be ClientOne.examlabpractice.com inside this domain. But on top of that, you have to have a server that’s going to manage all that. So we have to have something called a DNS server, a Domain Name System server. And what’s that going to do? Well, we need domain name servers for the same reason you have an address book with your phone.

You don’t really like having to memorize lots of phone numbers, right? So you have an address book, you’re able to type somebody’s name and their phone number in, and then later you can access their name and get access to the phone number and make the call. Well, DNS does that, except it does it for IP addresses. All these devices have IP addresses, and they’re going to be registered into your DNS database. Now, saying that database, that means that there’s also got to be a database on that DNS server. The DNS database is often called a zone database. It’s often called a namespace database. Okay? And from there, I’m just going to kind of color code this. We’ll say that examlabpractice.com is the company’s name. And this database you see here is going to manage that.

So I’m highlighting it in red, just like it is. I’ve basically bordered it in red as well. So we got to have DNS. Now, what’s going to happen is these computers are all going to boot up, including if I had a server, these computers are all going to boot up, and they’re going to register with DNS, including this file server guy here that I’m making. I’m going to call him file server. So they’re going to boot up, and they’re all going to register their names in DNS. The domain controllers are going to register. The file servers are going to register. Everything’s going to register inside DNS. This is a topic known as dynamic DNS, and this is going to allow computers to all register.

Now, what happens is every one of these machines, your client computers, your servers, they all have to locate DNS by their IP settings, and they’re going to ask DNS who these guys right here, the domain controllers, are so that they can all authenticate. So these clients, when they boot up, they’re going to say, hey, DNS, do you happen to know who my domain controllers are for my environment? And DNS is going to reply back with this information known as service records, SRV records, and it’s going to point the client to these domain controllers. The other great thing about Active Directory: Active Directory supports the ability to point people to the nearest domain controller so that they can log on and get authenticated. The authentication system that Active Directory uses is based on a protocol called Kerberos.

When you hear that name protocol, I want you to think language. It’s basically like a language they speak. And Active Directory’s security and querying language is built off of two protocols, really. One of them is called LDAP, Lightweight Directory Access Protocol, which is basically a query language, and Kerberos, which is going to be your security authentication language that it uses. Okay? So as we moved into the 2000s, Active Directory was released, and this was the big thing everybody’s doing. And of course the big thing too is we also have to have an Internet connection. So this little cloud thing that I just made here, this is going to be my Internet connection. And so we’ve got an Internet connection coming into our company here and we’re also going to have to protect our Internet.
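To make the DC locator step concrete, here is an added example (not from the course) that asks DNS for the same SRV records a domain-joined client asks for, the LDAP and Kerberos locator records, and checks that each advertised domain controller answers on the advertised port. The domain name examlabpractice.com comes from the lecture; the function name and the use of a specific DNS server are assumptions.

```powershell
# Added example: verify the DNS locator records that clients use to find domain controllers.
# Assumes it is run from inside the network on Windows 8 / Server 2012 or later (DnsClient and
# NetTCPIP modules) and that the queried DNS server hosts the examlabpractice.com zone.
function Test-DcLocatorRecords {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $DnsServer            # optional: query this DNS server instead of the configured one
    )

    # The two SRV names every client asks for: LDAP (directory queries, port 389)
    # and Kerberos (authentication, port 88), both under the _msdcs subdomain.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$DomainName",
        "_kerberos._tcp.dc._msdcs.$DomainName"
    )

    foreach ($name in $srvNames) {
        $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'Stop' }
        if ($DnsServer) { $query['Server'] = $DnsServer }

        try {
            # Keep only the SRV answers; Resolve-DnsName also returns the A records it was given.
            $records = Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' }
        } catch {
            # Missing locator records mean clients cannot find a DC at all: the first thing to fix.
            Write-Warning "No SRV records for $name : $($_.Exception.Message)"
            continue
        }

        foreach ($r in $records) {
            # Priority and weight decide which DC a client prefers when several are advertised.
            $reachable = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                Record    = $name
                Target    = $r.NameTarget
                Port      = $r.Port
                Priority  = $r.Priority
                Weight    = $r.Weight
                Reachable = $reachable
            }
        }
    }
}

# Usage: list every advertised DC for the lecture's domain and whether it is reachable.
Test-DcLocatorRecords -DomainName 'examlabpractice.com' | Format-Table -AutoSize
```

A DC that is advertised but not reachable is the kind of thing that leaves clients failing to log on; the built-in `nltest /dsgetdc:examlabpractice.com` shows which DC the locator actually picked for this machine.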

So we’re going to have a firewall. So this little guy right here will be my firewall. And my firewall is connected to my internal network as well as my outside world Internet connection. Of course, routing is involved there and all that stuff as well. All right, so the Internet is the big thing. Everybody’s wanting to be on the Internet and be secure and be able to access resources. So Microsoft is making technologies that are available to do this, though. LDAP and Kerberos are both internal technologies, not something that you expose to the Internet, which is why you have to have protection and all of that.

  2. A foundation for Remote Access, DMZs, and Virtualization

So occasionally you might find yourself in a situation where somebody from the outside world needs to get in. And there are two real ways to approach that. One would be somebody who’s part of the company, like maybe this guy here, and he needs to access resources inside the network here. So maybe the file server or some of these clients or something like that. So what we could do is we would set up this thing called a RAS server, RAS, Remote Access Service. RAS supports something called a VPN, Virtual Private Network. VPNs would allow people to remotely connect in, securely encrypted, to that RAS server. And then they could access things like the file server, things like that.

And so that’s all wonderful and great. The one thing though about VPN users is they have to authenticate, they have to prove who they are. What about this situation though? What if your company wanted to host a web server? All right, they want to host a web server like this little box that I’m drawing here. And they need to make that web server available to people anonymously. In other words, people that are not part of our company. Well, you run into a slight issue there. The issue you run into is where do you put this web server? If you put this web server here on the internal network with your stuff, you’re basically letting someone who is not part of your company access that web server.

If this person right here is not an employee, he is just an anonymous person on the Internet, we don’t want that person being able to gain access to this web server. Hackers can do this thing called pivoting. Pivoting is where a hacker gains control over this server and then they’re able to actually pivot to other servers. So that would be a bad thing. We don’t want that. So one thing we could do is we could put this web server on the outside. We could put it out here outside our firewall. Of course, the problem you run into there is you’ve not left this server any protection.

Basically the server is outside your firewall. And at that point it’s completely exposed to things on the Internet. So the rule of thumb, the general rule of thumb everybody went with is they would get another firewall. So you’d get a second firewall. I’m just going to copy this guy right here. And we would put that firewall right here. And that is called a DMZ, a demilitarized zone, also known as a perimeter network. And what you would then do is you would put rules in place on these firewalls so that people out here could get in through this firewall and access the server.

But you have this firewall acting as an additional layer of protection to stop things from getting in from that outside world to the inside world. Okay, so this was a pretty traditional approach. This is the way we’ve done things now for years. We’ve centrally managed things through Active Directory domains in the Microsoft world. And it’s a great solution and it’s worked fine. Another thing that we’ve had for years is the concept of having internal servers that do different jobs. For example, we might have an Exchange Server, which is an email server that Microsoft supports. It’s their email product, actually. And we’d have an on-premises email server, and people could check their email and all of that from the outside world to the inside world.

There were some things you had to implement to do that. Another thing we had was SQL Server. SQL Server is Microsoft’s database product. So we’d have SQL Servers handling databases for us. We would have something called SharePoint, which allows us to set up some different types of sites that employees can use for things. And we could do Skype for Business, all of these different things, Skype for Business being Microsoft’s Voice over IP product for the longest time. And I’ll just put Skype4B to represent that. We would have all of these servers in our internal environment. And guys, this is the traditional approach. The way that we’ve done things now for decades, for years, this is the way things have been done. So now what I want to talk about is moving into the future.

As time went on, as we moved into the early 2000s, there was a concept known as virtualization. Now I want to warn you guys that the concept of virtualization is not a new concept. A lot of people think it is; it’s actually not. The term virtualization has been around since the 1970s. There actually was a Unix based operating system that had a thing called a hypervisor that could do virtualization. It’s just that virtualization really didn’t blossom until the early 2000s, when a company called VMware discovered and created some really awesome features that could allow companies to take advantage of something called elasticity. So I want to talk about that for a minute, the concept of virtualization.

So what I’m going to do is I’m going to move these servers over here for just a minute. We’re going to move them out of the way. And what happened was, with this company called VMware, they discovered that instead of us having to buy, like, four different servers, they created a way where we could take one physical server with a lot of power, a lot of performance, CPU, memory, storage, and put all of that on this one server. And the server is known as a hypervisor. In Microsoft’s world, which is the world we’re living in right now, it’s called Hyper-V. Okay? So there’s VMware, which is third party, and there’s Microsoft Hyper-V, and Hyper-V is sort of what we learn about in this course.

So Hyper-V, hypervisor virtualization, allows us to virtualize these servers. Think about it. If you can emulate hardware, CPU, memory, storage, networking, then you could technically set up operating systems that run on that emulated hardware. Well, those are called guest operating systems. These right here are virtual machines running guest operating systems. Of course, the scary thing about that, the thing a lot of people freak out about, is they’re like, well, if one of those servers fails, okay, if the Hyper-V server fails, I should say, if it fails, you lose all access to all your servers. Well, see, that’s the beauty of virtualization.

It’s very easy for us actually to just get two servers and we can do something called clustering, where we can connect these together and we have a duplicate. Now, if one server fails, we still have that other server. In fact, these two servers can actually even be in two completely different offices if we want, okay? So I could have them in two different branch offices if I wanted. So notice this is going to save us a lot of money on hardware and all of that. Here’s the other beautiful thing about virtualization that they created. It’s called elasticity. Elasticity involves the ability for your virtual machines to be able to request more resources when other virtual machines aren’t using them.

So, for example, if the Exchange Server is using, let’s say, 20 gigs of RAM, and the SQL Server needs 30 gigs of RAM, and the Exchange Server currently is not needing all that extra RAM, it can release that memory that it’s not using, and the SQL Server can use it, can take advantage of it. And then if the SQL Server no longer needs that memory, it can release that memory and the Exchange Server can get it. And this is what elasticity is all about, okay? And what you’re going to find is this is the forerunner of cloud computing.
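The Exchange/SQL memory hand-off described above is what Hyper-V calls Dynamic Memory. The following added example (not from the course) configures two guests for it and then shows the host reassigning memory as their demand shifts; the VM names Exchange and SQL, the sizes, and the priorities are assumed values, chosen so that SQL can grow beyond what Exchange gives back.

```powershell
# Added example: configure memory elasticity for two Hyper-V guests with Dynamic Memory.
# Assumes it is run on the Hyper-V host as an administrator, with the Hyper-V PowerShell
# module installed; changing startup memory requires the VM to be powered off.
Import-Module Hyper-V

$plan = @(
    # Each guest boots with StartupGB, can be trimmed down to MinimumGB when idle,
    # and may balloon up to MaximumGB when it is the one doing the work.
    @{ Name = 'Exchange'; StartupGB = 16; MinimumGB = 8; MaximumGB = 32; Priority = 80 },
    @{ Name = 'SQL';      StartupGB = 16; MinimumGB = 8; MaximumGB = 48; Priority = 60 }
)

foreach ($vm in $plan) {
    $settings = @{
        VMName               = $vm.Name
        DynamicMemoryEnabled = $true
        StartupBytes         = $vm.StartupGB * 1GB
        MinimumBytes         = $vm.MinimumGB * 1GB
        MaximumBytes         = $vm.MaximumGB * 1GB
        Priority             = $vm.Priority   # who wins when both guests demand memory at once
        Buffer               = 20             # keep 20% headroom above the guest's current demand
    }
    Set-VMMemory @settings
}

# Read back what the host currently assigns versus what each guest is asking for;
# run this while load moves between the guests to watch the memory follow the demand.
Get-VM -Name ($plan | ForEach-Object { $_.Name }) |
    Select-Object Name, State,
        @{ n = 'AssignedGB'; e = { [math]::Round($_.MemoryAssigned / 1GB, 1) } },
        @{ n = 'DemandGB';   e = { [math]::Round($_.MemoryDemand / 1GB, 1) } },
        MemoryStatus |
    Format-Table -AutoSize
```

The MaximumBytes values cap how far a guest can grow, so the total of the two maximums exceeding physical RAM is fine only as long as both guests do not peak at the same time; the MemoryStatus column shows Warning when the host cannot meet demand.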
